Practice Free CISA Exam Online Questions
Which of the following is the BEST way to determine the adequacy of controls for detecting inappropriate network activity in an organization?
- A . Reviewing SIEM reports of suspicious events in a timely manner
- B . Reviewing business application logs on a regular basis
- C . Troubleshooting connectivity issues routinely
- D . Installing a packet filtering firewall to block malicious traffic
Which of the following is MOST important to define within a disaster recovery plan (DRP)?
- A . Business continuity plan (BCP)
- B . Test results for backup data restoration
- C . A comprehensive list of disaster recovery scenarios and priorities
- D . Roles and responsibilities for recovery team members
D
Explanation:
The most important thing to define within a disaster recovery plan (DRP) is the roles and responsibilities for recovery team members, as this ensures that everyone knows what to do, who to report to, and how to communicate in the event of a disaster. A business continuity plan (BCP) is a broader document that covers the overall strategy and objectives for maintaining or resuming business operations after a disaster. Test results for backup data restoration are important to verify the integrity and availability of backup data, but they are not part of the DRP itself. A comprehensive list of disaster recovery scenarios and priorities is useful to identify the potential risks and impacts of different types of disasters, but it is not as critical as defining the roles and responsibilities for recovery team members.
Reference: CISA Review Manual (Digital Version), Chapter 4: Information Systems Operations, Maintenance and Service Management, Section 4.3: Disaster Recovery Planning
Which of the following is the GREATEST risk associated with storing customer data on a web server?
- A . Data availability
- B . Data confidentiality
- C . Data integrity
- D . Data redundancy
B
Explanation:
The greatest risk associated with storing customer data on a web server is data confidentiality. Data confidentiality is the property that ensures that data are accessible only to authorized entities or individuals, and protected from unauthorized disclosure or exposure. Storing customer data on a web server poses a high risk to data confidentiality, as web servers are exposed to the internet and may be vulnerable to various types of attacks or breaches that can compromise the security and privacy of customer data, such as hacking, phishing, malware, denial of service (DoS), etc. Customer data may contain sensitive or personal information that can cause harm or damage to customers or the organization if disclosed or exposed, such as identity theft, fraud, reputation loss, legal liability, etc.

Data availability is the property that ensures that data are accessible and usable by authorized entities or individuals when needed. Data availability is a risk associated with storing customer data on a web server, as web servers may experience failures or disruptions that can affect the accessibility and usability of customer data, such as hardware faults, network issues, power outages, etc. However, data availability is not the greatest risk associated with storing customer data on a web server, as it does not affect the security and privacy of customer data.

Data integrity is the property that ensures that data are accurate and consistent, and protected from unauthorized modification or corruption. Data integrity is a risk associated with storing customer data on a web server, as web servers may be subject to attacks or errors that can affect the accuracy and consistency of customer data, such as injection attacks, tampering, replication issues, etc. However, data integrity is not the greatest risk associated with storing customer data on a web server, as it does not affect the security and privacy of customer data.

Data redundancy is the condition of having duplicate or unnecessary data in a database or system. Data redundancy is not a risk associated with storing customer data on a web server, but rather a result of poor database design or management.
A cloud access security broker (CASB) administers the user access of a Software as a Service (SaaS) application on behalf of the customer organization.
When conducting an audit of the service, which of the following is MOST important for the IS auditor to confirm?
- A . The CASB logs the access request as a service record that is reviewed after granting access.
- B . The CASB verifies the access request from a named customer contact before granting access.
- C . The CASB manages secure access to the federated directory service used by the SaaS application.
- D . The CASB conducts periodic audits of access requests to ensure compliance with customer policy.
Which of the following is the PRIMARY advantage of using an automated security log monitoring tool instead of conducting a manual review to monitor the use of privileged access?
- A . Reduced costs associated with automating the review
- B . Increased likelihood of detecting suspicious activity
- C . Ease of storing and maintaining log files
- D . Ease of log retrieval for audit purposes
During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months.
Which of the following is the BEST course of action?
- A . Require documentation that the finding will be addressed within the new system
- B . Schedule a meeting to discuss the issue with senior management
- C . Perform an ad hoc audit to determine if the vulnerability has been exploited
- D . Recommend the finding be resolved prior to implementing the new system
A
Explanation:
Requiring documentation that the finding will be addressed within the new system is the best course of action for a follow-up audit. An IS auditor should obtain evidence that the complex security vulnerability of low risk will be resolved in the new system and that there is a reasonable timeline for its implementation. The other options are not appropriate courses of action, as they may be too costly, time-consuming, or impractical for a low-risk finding.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.5.3
CISA Review Questions, Answers & Explanations Database, Question ID 209
An IT governance body wants to determine whether IT service delivery is based on consistently effective processes.
Which of the following is the BEST approach?
- A . Evaluate key performance indicators (KPIs).
- B . Conduct a gap analysis.
- C . Develop a maturity model.
- D . Implement a control self-assessment (CSA).
Who is PRIMARILY responsible for the design of IT controls to meet control objectives?
- A . Risk management
- B . Business management
- C . IT manager
- D . Internal auditor
Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?
- A . Conduct periodic on-site assessments using agreed-upon criteria.
- B . Periodically review the service level agreement (SLA) with the vendor.
- C . Conduct an unannounced vulnerability assessment of vendor’s IT systems.
- D . Obtain evidence of the vendor’s control self-assessment (CSA).
A
Explanation:
The most effective method to verify that a service vendor keeps control levels as required by the client is to conduct periodic on-site assessments using agreed-upon criteria. On-site assessments provide direct evidence of whether the vendor’s controls are operating effectively and consistently in accordance with the client’s expectations and requirements, and agreed-upon criteria ensure that the assessments are objective, relevant, and reliable. The other options are not as effective as on-site assessments in verifying the vendor’s control levels. Periodically reviewing the SLA with the vendor helps monitor whether the vendor meets its contractual obligations and service standards, but it does not provide assurance that the vendor’s controls are adequate or sufficient. Conducting an unannounced vulnerability assessment of the vendor’s IT systems can identify weaknesses or gaps in the vendor’s security controls, but it may violate the terms and conditions of the vendor-client relationship or cause operational disruptions. Obtaining evidence of the vendor’s CSA gives some indication that the vendor’s controls are self-monitored and reported, but it does not provide independent verification of those controls or of the accuracy of the vendor’s self-reporting.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.4
An IS auditor has been asked to advise on measures to improve IT governance within the organization.
Which of the following is the BEST recommendation?
- A . Benchmark organizational performance against industry peers.
- B . Implement key performance indicators (KPIs).
- C . Require executive management to draft IT strategy.
- D . Implement annual third-party audits.
C
Explanation:
The best recommendation to improve IT governance within the organization is C, require executive management to draft IT strategy. IT governance is the process of establishing and maintaining the policies, roles, responsibilities, and accountabilities for managing technology risks within an organization. One of the key objectives of IT governance is to ensure alignment and integration between technology and business strategies, leading to optimal outcomes and value creation. Therefore, it is essential that executive management, who are responsible for setting the vision, mission, and goals of the organization, are also involved in drafting the IT strategy that supports and enables them. By requiring executive management to draft IT strategy, the organization can:
- Ensure that the IT strategy is consistent and coherent with the business strategy, and reflects the organization’s priorities, values, and culture.
- Enhance communication and collaboration between IT and business functions, and foster a shared understanding of and commitment to the IT strategy.
- Increase accountability and transparency for IT performance and outcomes, and ensure that IT investments are aligned with the organization’s risk appetite and value proposition.
